Hi
I know I'm running a very old OS; unfortunately the device isn't
supported and my boss refuses (due to cost) to add support for the PIX. So
I'm stuck with what I have.




TIA
Paolo


vbwilliams@neb.rr.com wrote:

>Couldn't tell you why it happened...but you should check to see if
>maybe there was a bug from 6.3(1) to maybe 6.3(5) that would cause
>something like this. You're running a PIX OS that is over 3 years
>old. I would imagine that running something recent might fix this
>issue as well as a bunch you haven't even come across yet.
>
>Victor Williams
>Network Architect
>
>
>----- Original Message -----
>From: Paolo Supino
>Date: Tuesday, July 25, 2006 2:39 pm
>Subject: [fw-wiz] PIX PPTP stopped working
>To: Firewall Wizards Security Mailing List >wizards@listserv.cybertrust.com>
>
>
>
>>Hi
>>
>> A very strange thing happened to me today: A PIX firewall I have
>>stopped accepting PPTP connections. The only thing that happened before
>>it stopped responding to PPTP connections was that I ran the nmap
>>scanner on the subnet this PIX is on (to try and find out whether
>>someone decided to start another computer on it). Apart from this
>>nothing has changed on this subnet for a while, including the PIX's
>>configuration. Trying to telnet to port 1723 gives the error: "Could
>>not open a connection to host on port 1723 : Connection failed". Any
>>help solving this problem will be greatly appreciated.
>>
>>
>>the PIX configuration is (IP addresses, names and password hashes
>>changed to protect the innocent):
>>
>>: Written by enable_15 at 12:06:45.250 EDT Fri Jun 29 2006
>>PIX Version 6.3(1)
>>interface ethernet0 auto
>>interface ethernet1 auto
>>interface ethernet2 auto
>>nameif ethernet0 outside security0
>>nameif ethernet1 inside security100
>>nameif ethernet2 dmz security50
>>enable password 1234567890 encrypted
>>passwd 0987654321 encrypted
>>hostname fw1
>>domain-name supernova.com
>>clock timezone PST -8
>>clock summer-time PDT recurring
>>fixup protocol ftp 21
>>fixup protocol h323 h225 1720
>>fixup protocol h323 ras 1718-1719
>>fixup protocol http 80
>>fixup protocol ils 389
>>fixup protocol rsh 514
>>fixup protocol rtsp 554
>>fixup protocol sip 5060
>>fixup protocol sip udp 5060
>>fixup protocol sip udp 5060
>>fixup protocol skinny 2000
>>fixup protocol smtp 25
>>fixup protocol sqlnet 1521
>>names
>>name 10.29.22.10 JANEPC
>>name 10.143.103.249 JOHNPC
>>name 10.40.133.0 JACKSNET
>>object-group service SRVCGRP1 tcp
>> port-object eq ftp-data
>> port-object eq ftp
>> port-object eq www
>> port-object eq 990
>> port-object eq https
>> port-object range 23054 23154
>>object-group service SRVCGRP2 tcp
>> port-object eq 28
>> port-object eq 27
>> port-object eq ftp-data
>> port-object eq ftp
>> port-object eq www
>> port-object eq https
>>object-group service SRVCGRP3 tcp
>> port-object eq ftp
>> port-object eq ftp-data
>> port-object eq https
>> port-object eq www
>>access-list OUTIN permit tcp any host 192.165.164.7 object-group SRVCGRP1
>>access-list OUTIN permit tcp any host 192.165.164.5 object-group SRVCGRP2
>>access-list OUTIN permit icmp any any
>>access-list OUTIN permit tcp any host 192.165.164.8 object-group SRVCGRP3
>>access-list INOUTNAT0ACL permit ip 172.16.25.0 255.255.255.0 172.16.27.0 255.255.255.224
>>access-list INOUTNAT0ACL permit ip 172.16.25.0 255.255.255.0 172.16.25.0 255.255.255.192
>>access-list DMZOUTNAT0ACL permit ip 172.16.26.0 255.255.255.0 172.16.25.0 255.255.255.192
>>access-list DMZOUTNAT0ACL permit ip 172.16.26.0 255.255.255.0 172.16.27.0 255.255.255.224
>>access-list VPN0SPLITTUNNELACL permit ip 172.16.25.0 255.255.255.0 any
>>access-list VPN0SPLITTUNNELACL permit ip 172.16.26.0 255.255.255.0 any
>>pager lines 24
>>logging on
>>logging trap informational
>>icmp permit any outside
>>icmp permit any inside
>>mtu outside 1500
>>mtu inside 1500
>>mtu dmz 1500
>>ip address outside 192.165.164.14 255.255.255.240
>>ip address inside 172.16.25.1 255.255.255.0
>>ip address dmz 172.16.26.1 255.255.255.0
>>ip audit info action alarm
>>ip audit attack action alarm
>>ip local pool VPNIPPOOL 172.16.27.5-172.16.27.25
>>ip local pool x 172.16.99.1-172.16.99.2
>>pdm location 172.16.25.0 255.255.255.0 inside
>>pdm logging debugging 300
>>pdm history enable
>>arp timeout 14400
>>global (outside) 1 interface
>>nat (inside) 0 access-list INOUTNAT0ACL
>>nat (inside) 1 172.16.25.0 255.255.255.0 dns 0 0
>>nat (dmz) 0 access-list dmz_outbound_nat0_acl
>>static (inside,outside) 192.165.164.4 172.16.25.4 dns netmask 255.255.255.255 0 0
>>static (inside,outside) 192.165.164.5 172.16.25.5 dns netmask 255.255.255.255 0 0
>>static (inside,outside) 192.165.164.6 172.16.25.6 dns netmask 255.255.255.255 0 0
>>static (inside,outside) 192.165.164.7 172.16.25.7 dns netmask 255.255.255.255 0 0
>>static (inside,outside) 192.165.164.10 172.16.25.27 netmask 255.255.255.255 0 0
>>static (inside,outside) 192.165.164.11 172.16.25.28 netmask 255.255.255.255 0 0
>>static (inside,outside) 192.165.164.8 172.16.25.8 netmask 255.255.255.255 0 0
>>access-group OUTINACCESS in interface outside
>>route outside 0.0.0.0 0.0.0.0 192.165.164.1 1
>>timeout xlate 3:00:00
>>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
>>timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
>>timeout uauth 0:05:00 absolute
>>aaa-server TACACS+ protocol tacacs+
>>aaa-server RADIUS protocol radius
>>aaa-server LOCAL protocol local
>>http server enable
>>http 172.16.25.0 255.255.255.0 inside
>>no snmp-server location
>>no snmp-server contact
>>snmp-server community public
>>no snmp-server enable traps
>>floodguard enable
>>sysopt connection permit-ipsec
>>sysopt connection permit-pptp
>>sysopt connection permit-l2tp
>>crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
>>crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
>>crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
>>crypto map outside_map interface outside
>>isakmp enable outside
>>isakmp policy 20 authentication pre-share
>>isakmp policy 20 encryption 3des
>>isakmp policy 20 hash md5
>>isakmp policy 20 group 2
>>isakmp policy 20 lifetime 86400
>>vpngroup VPN0 dns-server 172.16.25.7 192.165.160.179
>>vpngroup VPN0 default-domain supernova.com
>>vpngroup VPN0 split-tunnel VPN0SPLITTUNNELACL
>>vpngroup VPN0 idle-time 1800
>>vpngroup VPN0 password ********
>>telnet 172.16.25.0 255.255.255.0 inside
>>telnet timeout 5
>>ssh 172.16.25.0 255.255.255.0 inside
>>ssh timeout 5
>>console timeout 0
>>vpdn group VPN1 accept dialin pptp
>>vpdn group VPN1 ppp authentication pap
>>vpdn group VPN1 ppp authentication chap
>>vpdn group VPN1 ppp authentication mschap
>>vpdn group VPN1 ppp encryption mppe auto
>>vpdn group VPN1 client configuration address local VPNIPPOOL
>>vpdn group VPN1 client configuration dns 192.165.160.180 192.168.100.47
>>vpdn group VPN1 pptp echo 300
>>vpdn group VPN1 client authentication local
>>vpdn username user1 password ********
>>vpdn username user2 password ********
>>vpdn username user3 password ********
>>vpdn username user4 password ********
>>vpdn enable outside
>>username administrator password 0123456789 encrypted privilege 15
>>terminal width 80
>>Cryptochecksum: 00000000000000000000000000000000
>>
>>
>>
>>
>>TIA
>>Paolo
>>
>>
>>_______________________________________________
>>firewall-wizards mailing list
>>firewall-wizards@listserv.icsalabs.com
>>https://listserv.icsalabs.com/mailma...rewall-wizards
>>
>>
>>



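An offline consistency check over the quoted PIX 6.3 configuration, added here as an example; it is not code from the thread, from Cisco, or from any PIX tool. It reads `show run`-style lines, lists every name that is referenced but never defined (in the posted config, `access-group OUTINACCESS` and `nat (dmz) 0 access-list dmz_outbound_nat0_acl` point at ACLs that do not appear anywhere, which may simply be a side effect of the poster renaming things), and confirms the four settings a PIX 6.x needs before it will terminate PPTP on an interface. The sample config is a constructed excerpt of the one quoted above; the function names and the checklist keys are mine, not PIX terminology.

```python
"""Lexical consistency check for a PIX 6.x style configuration.

Added example for the thread above; not code from the list or from Cisco.
Everything here is a plain-text parse of `show run`-style lines; nothing
talks to a firewall.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt of the config quoted in the thread (the real one is
# longer; names are as the poster anonymised them).
SAMPLE_CONFIG = """\
PIX Version 6.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
object-group service SRVCGRP1 tcp
 port-object eq ftp
object-group service SRVCGRP2 tcp
 port-object eq www
object-group service SRVCGRP3 tcp
 port-object eq https
access-list OUTIN permit tcp any host 192.165.164.7 object-group SRVCGRP1
access-list OUTIN permit tcp any host 192.165.164.5 object-group SRVCGRP2
access-list OUTIN permit tcp any host 192.165.164.8 object-group SRVCGRP3
access-list INOUTNAT0ACL permit ip 172.16.25.0 255.255.255.0 172.16.27.0 255.255.255.224
access-list DMZOUTNAT0ACL permit ip 172.16.26.0 255.255.255.0 172.16.25.0 255.255.255.192
access-list VPN0SPLITTUNNELACL permit ip 172.16.25.0 255.255.255.0 any
ip local pool VPNIPPOOL 172.16.27.5-172.16.27.25
global (outside) 1 interface
nat (inside) 0 access-list INOUTNAT0ACL
nat (inside) 1 172.16.25.0 255.255.255.0 dns 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
static (inside,outside) 192.165.164.8 172.16.25.8 netmask 255.255.255.255 0 0
access-group OUTINACCESS in interface outside
sysopt connection permit-pptp
vpngroup VPN0 split-tunnel VPN0SPLITTUNNELACL
vpdn group VPN1 accept dialin pptp
vpdn group VPN1 client configuration address local VPNIPPOOL
vpdn enable outside
"""


def parse_definitions(config: str) -> Dict[str, Set[str]]:
    """Collect every name the config defines, keyed by kind of object."""
    defs: Dict[str, Set[str]] = {k: set() for k in
                                 ("access-list", "object-group", "pool", "interface")}
    for line in config.splitlines():
        w = line.split()
        if len(w) > 1 and w[0] == "access-list":
            defs["access-list"].add(w[1])       # access-list NAME ...
        elif len(w) > 2 and w[0] == "object-group":
            defs["object-group"].add(w[2])      # object-group service NAME tcp
        elif len(w) > 3 and w[:3] == ["ip", "local", "pool"]:
            defs["pool"].add(w[3])              # ip local pool NAME first-last
        elif len(w) > 2 and w[0] == "nameif":
            defs["interface"].add(w[2])         # nameif ethernetN NAME securityX
    return defs


def collect_references(config: str) -> List[Tuple[str, str, str]]:
    """Return (kind, name, line) for every by-name reference this parser understands."""
    refs: List[Tuple[str, str, str]] = []
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "access-group" and len(w) >= 5:
            refs.append(("access-list", w[1], line))      # access-group ACL in interface IF
            refs.append(("interface", w[4], line))
        elif w[0] in ("nat", "global", "static") and len(w) > 1:
            for ifname in w[1].strip("()").split(","):     # (inside) or (inside,outside)
                refs.append(("interface", ifname, line))
            if "access-list" in w[:-1]:
                refs.append(("access-list", w[w.index("access-list") + 1], line))
        elif w[0] == "access-list":
            for i, tok in enumerate(w[:-1]):               # ... object-group NAME
                if tok == "object-group":
                    refs.append(("object-group", w[i + 1], line))
        elif w[0] == "vpngroup" and "split-tunnel" in w[:-1]:
            refs.append(("access-list", w[w.index("split-tunnel") + 1], line))
        elif w[:2] == ["vpdn", "group"] and len(w) > 6 and w[-2] == "local" and "address" in w:
            refs.append(("pool", w[-1], line))             # client configuration address local POOL
        elif w[:2] == ["vpdn", "enable"] and len(w) > 2:
            refs.append(("interface", w[2], line))
    return refs


def find_dangling_refs(config: str) -> List[Tuple[str, str, str]]:
    """References to names that are never defined, in config order."""
    defs = parse_definitions(config)
    return [r for r in collect_references(config) if r[1] not in defs[r[0]]]


def pptp_termination_checklist(config: str, interface: str = "outside") -> Dict[str, bool]:
    """The settings a PIX 6.x needs to terminate PPTP clients on `interface`."""
    lines = [" ".join(l.split()) for l in config.splitlines()]
    pools = parse_definitions(config)["pool"]
    assigned = [w[-1] for w in (l.split() for l in lines)
                if w[:2] == ["vpdn", "group"] and len(w) > 2 and w[-2] == "local"]
    return {
        "vpdn_enabled_on_interface": f"vpdn enable {interface}" in lines,
        "group_accepts_pptp": any(re.fullmatch(r"vpdn group \S+ accept dialin pptp", l) for l in lines),
        "pool_assigned_and_defined": bool(assigned) and all(p in pools for p in assigned),
        "sysopt_permit_pptp": "sysopt connection permit-pptp" in lines,
    }


def report(config: str) -> List[str]:
    """Human-readable findings: dangling references first, then the PPTP checklist."""
    out = [f"{kind} '{name}' is referenced but never defined: {line}"
           for kind, name, line in find_dangling_refs(config)]
    for check, ok in pptp_termination_checklist(config).items():
        out.append(f"PPTP {check}: {'ok' if ok else 'MISSING'}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

Run it against a saved `show running-config` on a workstation. The checks are purely lexical: a clean checklist means the config asks for PPTP termination, not that the device is answering on TCP 1723, and the dangling-reference list is the first thing to compare against the last known-good copy of the config when a service stops without any intentional change.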